After 12 years in business, and seeing countless cyber security threats, you would think that nothing would alarm us. But something we read today raised Adaptive’s hackles.
In excerpts from an article by the Guardian, they wrote, “Five allied countries have warned that ‘evolving intelligence’ indicates Russia is poised to launch powerful cyberattacks against rivals supporting Ukraine.
Members of the “Five Eyes” intelligence-sharing network – the US, Britain, Canada, Australia, and New Zealand – said Moscow could also involve existing cybercrime groups in launching attacks on governments, institutions, and businesses.
‘Evolving intelligence indicates that the Russian government is exploring options for cyberattacks,’ they said in an official cyber threat alert.
Russia’s invasion of Ukraine could expose organizations to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic sanctions imposed on Russia as well as materiel support provided by the United States, Canada, NATO allies, and sympathetic partners.”
Wednesday’s alert said Russian state-sponsored cyber actors have the ability to compromise IT networks, steal large amounts of data from them while remaining hidden, deploy destructive malware, and lock down networks with ‘distributed denial of service’ attacks.
The alert identified more than a dozen hacking groups, both parts of Russian intelligence and military bodies and privately operated, which present threats. It warned that infrastructure could be particularly targeted in countries Moscow might want to take action against.
“US, Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats – including destructive malware, ransomware, DDoS attacks, and cyber espionage – by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity,” the alert said.
US Cybersecurity and Infrastructure Security Agency Director Jen Easterly said malicious cyber activity is “part of the Russian playbook”.
“Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly. Malicious cyber activity is a real risk to organizations around the world,” Sami Khoury, Head, Canadian Centre for Cyber Security, added.
And why would Canada be on Russia’s hit list? Because we are “supporting” Ukraine.
According to the CBC, “Canada has given Ukraine a considerable amount of assistance over the years. Since the annexation of Crimea, Canada has launched the Operation Unifier training program for Ukrainian troops and has contributed non-lethal aid — and lately, lethal military materiel — from its own meager stocks. Canada also has been among the most aggressive countries when it comes to sanctioning Russia.”
In other words, if you don’t take cyber security seriously in the current environment, you’re playing Russian Roulette with your business.
Before moving on, Adaptive Office Solutions would like to say that while we are with Ukraine, and wholeheartedly against the war, we also have compassion for the majority of people living in or hailing from Russia.
There is enough hate and discrimination in the world already. Let’s not exacerbate the situation by thinking negatively about the people of Russia. Yes… the war, Putin, and the current regime in Russia suck, as do the hackers, but let’s have compassion for the innocent people whose lives are caught in the crossfire of this tragic time in history.
Moving on… Our job, at Adaptive Office Solutions, is to protect you from the threats of cybercrime. If you’ve ignored all warnings in the past, we implore you to sit up and pay attention this time. If, like the people of Ukraine, you never thought you’d be attacked, you were wrong.
But that doesn’t have to define the future. All you need to win in the long run are allies and preparation. We are your allies, and we will help you prepare for what the Five Eyes alert warns could be a period of intense cyberattacks.
If you think your business is too small to be targeted, you’re wrong. Hackers know that small businesses are easy targets. It’s not a matter of IF you’ll be targeted, but WHEN.
So, let’s break down the threats mentioned above. We’ll talk about what the threats are, how they can affect your business, and what you can do to prevent them NOW.
Malware
What is Malware?
According to excerpts from an article by Cisco, “Malware, short for “malicious software,” refers to any intrusive software developed by cybercriminals (often called “hackers”) to steal data and damage or destroy computers and computer systems. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware. Recent malware attacks have exfiltrated data in mass amounts.
7 Types of malware
Virus
Viruses are a subgroup of malware. A virus is malicious software attached to a document or file that supports macros to execute its code and spread from host to host. Once downloaded, the virus will lay dormant until the file is opened and in use. Viruses are designed to disrupt a system’s ability to operate. As a result, viruses can cause significant operational issues and data loss.
Worms
Worms are a malicious software that rapidly replicates and spreads to any device within the network. Unlike viruses, worms do not need host programs to disseminate. A worm infects a device via a downloaded file or a network connection before it multiplies and disperses at an exponential rate. Like viruses, worms can severely disrupt the operations of a device and cause data loss.
Trojan virus
Trojan viruses are disguised as helpful software programs. But once the user downloads it, the Trojan virus can gain access to sensitive data and then modify, block, or delete the data. This can be extremely harmful to the performance of the device. Unlike normal viruses and worms, Trojan viruses are not designed to self-replicate.
Spyware
Spyware is malicious software that runs secretly on a computer and reports back to a remote user. Rather than simply disrupting a device’s operations, spyware targets sensitive information and can grant remote access to predators. Spyware is often used to steal financial or personal information. A specific type of spyware is a keylogger, which records your keystrokes to reveal passwords and personal information.
Adware
Adware is malicious software used to collect data on your computer usage and provide appropriate advertisements to you. While adware is not always dangerous, in some cases adware can cause issues for your system. Adware can redirect your browser to unsafe sites, and it can even contain Trojan horses and spyware. Additionally, significant levels of adware can slow down your system noticeably. Because not all adware is malicious, it is important to have protection that constantly and intelligently scans these programs.
Ransomware
Ransomware is malicious software that gains access to sensitive information within a system, encrypts that information so that the user cannot access it, and then demands a financial payout for the data to be released. Ransomware is commonly part of a phishing scam. By clicking a disguised link, the user downloads the ransomware. The attacker proceeds to encrypt specific information that can only be opened by a mathematical key they know. When the attacker receives payment, the data is unlocked.
Fileless malware
Fileless malware is a type of memory-resident malware. As the term suggests, it is malware that operates from a victim’s computer’s memory, not from files on the hard drive. Because there are no files to scan, it is harder to detect than traditional malware. It also makes forensics more difficult because the malware disappears when the victim’s computer is rebooted. In late 2017, the Cisco Talos threat intelligence team posted an example of fileless malware that they called DNSMessenger.
How do I protect my network against malware?
Typically, businesses focus on preventative tools to stop breaches. By securing the perimeter, businesses assume they are safe. Some advanced malware, however, will eventually make its way into your network. As a result, it is crucial to deploy technologies that continually monitor and detect malware that has evaded perimeter defenses. Sufficient advanced malware protection requires multiple layers of safeguards along with high-level network visibility and intelligence.
How do I detect and respond to malware?
Malware will inevitably penetrate your network. You must have defenses that provide significant visibility and breach detection. In order to remove malware, you must be able to identify malicious actors quickly. This requires constant network scanning. Once the threat is identified, you must remove the malware from your network. Today’s antivirus products are not enough to protect against advanced cyber threats.”
Ransomware
Yes, we know this was listed in the Malware category, but unlike the other descriptions, this topic can’t be thoroughly understood in a single paragraph. Let’s go a bit deeper…
In excerpts from an article by CheckPoint, they wrote, “Ransomware is a malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files. Some variants have added additional functionality – such as data theft – to provide further incentive for ransomware victims to pay the ransom.
Ransomware has quickly become the most prominent and visible type of malware. Recent ransomware attacks have impacted hospitals’ ability to provide crucial services, crippled public services in cities, and caused significant damage to various organizations.
The COVID-19 pandemic also contributed to the recent surge in ransomware. As organizations rapidly pivoted to remote work, gaps were created in their cyber defenses. Cybercriminals have exploited these vulnerabilities to deliver ransomware, resulting in a surge of ransomware attacks. In Q3 2020, ransomware attacks increased by 50% compared to the first half of that year.
How Ransomware Works
In order to be successful, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim. While the implementation details vary from one ransomware variant to another, all share the same core three stages:
Step 1. Infection and Distribution Vectors
Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors.
One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built-in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.
Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.
Others may attempt to infect systems directly, like how WannaCry exploited the EternalBlue vulnerability. Most ransomware variants have multiple infection vectors.
Step 2. Data Encryption
After ransomware has gained access to a system, it can begin encrypting its files. Since encryption functionality is built into an operating system, this simply involves accessing files, encrypting them with an attacker-controlled key, and replacing the originals with the encrypted versions. Most ransomware variants are cautious in their selection of files to encrypt to ensure system stability. Some variants will also take steps to delete backup and shadow copies of files to make recovery without the decryption key more difficult.
Step 3. Ransom Demand
Once file encryption is complete, the ransomware is prepared to make a ransom demand. Different ransomware variants implement this in numerous ways, but it is not uncommon to have a display background changed to a ransom note or text files placed in each encrypted directory containing the ransom note. Typically, these notes demand a set amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator will either provide a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryptor program (also provided by the cybercriminal) that can use it to reverse the encryption and restore access to the user’s files.
While these three core steps exist in all ransomware variants, different ransomware can include different implementations or additional steps. For example, ransomware variants like Maze perform file scanning, registry information gathering, and data theft before data encryption, and the WannaCry ransomware scans for other vulnerable devices to infect and encrypt.
How to Protect Against Ransomware
Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Taking the following best practices can reduce an organization’s exposure to ransomware and minimize its impacts:
Cyber Awareness Training and Education: Ransomware is often spread using phishing emails. Training users on how to identify and avoid potential ransomware attacks is crucial. As many of the current cyber-attacks start with a targeted email that does not even contain malware, but only a socially-engineered message that encourages the user to click on a malicious link, user education is often considered to be one of the most important defenses an organization can deploy.
Continuous data backups: Ransomware’s definition says that malware is designed to make it so that paying a ransom is the only way to restore access to the encrypted data. Automated, protected data backups enable an organization to recover from an attack with a minimum of data loss and without paying a ransom. Maintaining regular backups of data as a routine process is a very important practice to prevent losing data, and to be able to recover it in the event of corruption or disk hardware malfunction. Functional backups can also help organizations recover from ransomware attacks.
Patching: Patching is a critical component in defending against ransomware attacks as cyber-criminals will often look for the latest uncovered exploits in the patches made available and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied to them, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.
User Authentication: Accessing services like RDP with stolen user credentials is a favorite technique of ransomware attackers. The use of strong user authentication can make it harder for an attacker to make use of a guessed or stolen password.
Reduce the Attack Surface
With the high potential cost of a ransomware infection, prevention is the best ransomware mitigation strategy. This can be achieved by reducing the attack surface by addressing:
- Phishing Messages
- Unpatched Vulnerabilities
- Remote Access Solutions
- Mobile Malware
Deploy Anti-Ransomware Solution
The need to encrypt all of a user’s files means that ransomware has a unique fingerprint when running on a system. Anti-ransomware solutions are built to identify those fingerprints. Common characteristics of a good anti-ransomware solution include:
- Wide variant detection
- Fast detection
- Automatic restoration
- Restoration mechanism not based on common built-in tools (like ‘Shadow Copy’, which is targeted by some ransomware variants)
How to Mitigate an Active Ransomware Infection
A ransom message is not something anyone wants to see on their computer as it reveals that a ransomware infection was successful. At this point, some steps can be taken to respond to an active ransomware infection, and an organization must make the choice of whether or not to pay the ransom.
Many successful ransomware attacks are only detected after data encryption is complete and a ransom note has been displayed on the infected computer’s screen. At this point, the encrypted files are likely unrecoverable, but some steps should be taken immediately:
Quarantine the Machine: Some ransomware variants will try to spread to connected drives and other machines. Limit the spread of the malware by removing access to other potential targets.
Leave the Computer On: Encryption of files may make a computer unstable, and powering off a computer can result in loss of volatile memory. Keep the computer on to maximize the probability of recovery.
Create a Backup: Decryption of files for some ransomware variants is possible without paying the ransom. Make a copy of encrypted files on removable media in case a solution becomes available in the future or a failed decryption effort damages the files.
Check for Decryptors: Check with the No More Ransom Project to see if a free decryptor is available. If so, run it on a copy of the encrypted data to see if it can restore the files.
Ask For Help: Computers sometimes store backup copies of files stored on them. A digital forensics expert may be able to recover these copies if they have not been deleted by the malware.
Wipe and Restore: Restore the machine from a clean backup or operating system installation. This ensures that the malware is completely removed from the device.”
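The Check Point excerpt above describes the fingerprint ransomware leaves on a host: a burst of high-entropy writes across many directories, mass renames to a single new extension, and commands that delete shadow copies before the encryption starts. Here is an added example, written for this post and not taken from Check Point or any product, of a small behavioural detector that looks for exactly those signals in an endpoint event feed. The event shape, the process names, the file paths and the thresholds are all assumptions chosen for illustration, and the sample events are constructed inline so the script runs offline.

```python
"""Behavioural ransomware detection over an endpoint event feed.

Added example for this post, not Check Point code. Event shape, process names,
paths and thresholds are assumptions; the sample events are constructed.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass
from random import Random

@dataclass
class Event:
    ts: float            # seconds since start of capture
    pid: int
    image: str           # process image name
    kind: str            # "write" | "rename" | "process"
    path: str = ""       # file written, or the new name for a rename
    data: bytes = b""    # sample of the bytes written (first 4 KiB)
    cmdline: str = ""    # command line for process-creation events

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data nears 8.0, plain text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Recovery-inhibiting commands documented for ransomware (MITRE ATT&CK T1490).
INHIBIT_RECOVERY = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
WINDOW_S = 10.0          # burst window                                (assumption)
MIN_FILES = 20           # distinct high-entropy files in the window   (assumption)
MIN_DIRS = 3             # spread over at least this many directories  (assumption)
ENTROPY_HIGH = 7.0       # bits/byte at which a write "looks encrypted" (assumption)
RENAME_SHARE = 0.8       # share of renames that add the same new extension

def detect(events):
    """Return {image: [reasons]} for processes whose behaviour matches ransomware."""
    alerts = defaultdict(list)
    writes = defaultdict(list)    # image -> [(ts, path, entropy)] in time order
    renames = defaultdict(list)   # image -> [new extension]
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if any(p.search(ev.cmdline) for p in INHIBIT_RECOVERY):
                alerts[ev.image].append(f"inhibit-recovery command: {ev.cmdline}")
        elif ev.kind == "write":
            writes[ev.image].append((ev.ts, ev.path, shannon_entropy(ev.data)))
        elif ev.kind == "rename":
            renames[ev.image].append(ev.path.rsplit(".", 1)[-1] if "." in ev.path else "")
    for image, ws in writes.items():
        for i, (t0, _, _) in enumerate(ws):        # slide a WINDOW_S window over the writes
            hot = {p for t, p, h in ws[i:] if t - t0 <= WINDOW_S and h >= ENTROPY_HIGH}
            dirs = {p.rsplit("/", 1)[0] for p in hot}
            if len(hot) >= MIN_FILES and len(dirs) >= MIN_DIRS:
                alerts[image].append(f"{len(hot)} high-entropy files in {len(dirs)} dirs within {WINDOW_S:.0f}s")
                break
    for image, exts in renames.items():
        if len(exts) >= MIN_FILES:
            ext = max(set(exts), key=exts.count)
            if ext and exts.count(ext) / len(exts) >= RENAME_SHARE:
                alerts[image].append(f"{exts.count(ext)} files renamed to .{ext}")
    return dict(alerts)

def build_sample_events():
    """Constructed activity: a backup agent, a compiler, and a ransomware-like process."""
    rnd = Random(1)
    def high():                                                       # stands in for ciphertext
        return bytes(rnd.getrandbits(8) for _ in range(4096))
    low = b"int main(void) { return 0; }\n" * 128                     # stands in for source/objects
    ev = [Event(0.0, 100, "backup-agent", "write", "/backups/nightly.tar.gz", high())]
    for i in range(30):
        ev.append(Event(1.0 + i * 0.1, 200, "cc1", "write", f"/build/obj/unit{i}.o", low))
    for i in range(30):
        d = ["Documents", "Pictures", "Desktop"][i % 3]
        ev.append(Event(5.0 + i * 0.05, 300, "unknown.exe", "write", f"/home/alice/{d}/f{i}.docx", high()))
        ev.append(Event(5.0 + i * 0.05, 300, "unknown.exe", "rename", f"/home/alice/{d}/f{i}.docx.locked"))
    ev.append(Event(7.0, 301, "unknown.exe", "process", cmdline="vssadmin.exe delete shadows /all /quiet"))
    return ev

if __name__ == "__main__":
    for image, reasons in detect(build_sample_events()).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

Run it and it prints which process tripped which rule. The backup agent also writes high-entropy data, but to one archive in one directory, and the compiler touches many files but writes low-entropy output, so neither is flagged; only the process that combines mass high-entropy writes across directories, a uniform new extension and a shadow-copy deletion is reported. Tune the thresholds against your own fleet’s baseline, and pair a detector like this with canary files so an alert can fire on the first few writes rather than after thousands.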
Distributed Denial-of-Service (DDoS) Attacks
What is DDoS Attack?
In excerpts from an article by Fortinet, they wrote, “DDoS Attack means “Distributed Denial-of-Service (DDoS) Attack” and it is a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.
Motivations for carrying out a DDoS vary widely, as do the types of individuals and organizations eager to perpetuate this form of cyberattack. Some attacks are carried out by disgruntled individuals and hacktivists wanting to take down a company’s servers simply to make a statement, have fun by exploiting cyber weakness, or express disapproval.
Other distributed denial-of-service attacks are financially motivated, such as a competitor disrupting or shutting down another business’s online operations to steal business away in the meantime. Others involve extortion, in which perpetrators attack a company and install hostageware or ransomware on their servers, then force them to pay a large financial sum for the damage to be reversed.
DDoS attacks are on the rise, and even some of the largest global companies are not immune to being “DDoS’ed”. The largest attack in history occurred in February 2020 to none other than Amazon Web Services (AWS). DDoS ramifications include a drop in legitimate traffic, lost business, and reputation damage.
The Internet of Things (IoT) continues to proliferate as the number of remote employees working from home increase the number of devices connected to a network. The security of each IoT device may not necessarily keep up, leaving the network to which it is connected vulnerable to attack. As such, the importance of DDoS protection and mitigation is crucial.
Botnets are the primary way distributed denial-of-service attacks are carried out. The attacker will hack into computers or other devices and install a malicious piece of code, or malware called a bot. Together, the infected computers form a network called a botnet. The attacker then instructs the botnet to overwhelm the victim’s servers and devices with more connection requests than they can handle.
What is a DDoS Attack: Attack Symptoms and How to Identify Them
One of the biggest issues with identifying a DDoS attack is that the symptoms are not unusual. Many of the symptoms are similar to what technology users encounter every day, including slow upload or download performance speeds, the website becoming unavailable to view, a dropped internet connection, unusual media and content, or an excessive amount of spam. Further, a DDoS attack may last anywhere from a few hours to a few months, and the degree of attack can vary.
Even if you know what a DDoS attack is, it is extremely difficult to avoid attacks because detection is a challenge. This is because the symptoms of the attack may not vary much from typical service issues, such as slow-loading web pages, and the level of sophistication and complexity of DDoS techniques continues to grow.
Further, many companies welcome a spike in internet traffic, especially if the company recently launched new products or services or announced market-moving news. As such, prevention is not always possible, so it is best for an organization to plan a response for when these attacks occur.
DDoS Mitigation
Once a suspected attack is underway, an organization has several options to mitigate its effects.
Risk Assessment
Organizations should regularly conduct risk assessments and audits on their devices, servers, and network. While it is impossible to completely avoid a DDoS, a thorough awareness of both the strengths and vulnerabilities of the organization’s hardware and software assets goes a long way. Knowing the most vulnerable segments of an organization’s network is key to understanding which strategy to implement to lessen the damage and disruption that a DDoS attack can impose.
Traffic Differentiation
If an organization believes it has just been victimized by a DDoS, one of the first things to do is determine the quality or source of the abnormal traffic. Of course, an organization cannot shut off traffic altogether, as this would be throwing out the good with the bad.
As a mitigation strategy, use an Anycast network to scatter the attack traffic across a network of distributed servers. This is performed so that the traffic is absorbed by the network and becomes more manageable.
Black Hole Routing
Another form of defense is black hole routing, in which a network administrator—or an organization’s internet service provider—creates a blackhole route and pushes traffic into that black hole. With this strategy, all traffic, both good and bad, is routed to a null route and essentially dropped from the network. This can be rather extreme, as legitimate traffic is also stopped and can lead to business loss.
Rate Limiting
Another way to mitigate DDoS attacks is to limit the number of requests a server can accept within a specific time frame. This alone is generally not sufficient to fight a more sophisticated attack but might serve as a component of a multipronged approach.
Firewalls
To lessen the impact of an application-layer or Layer 7 attack, some organizations opt for a Web Application Firewall (WAF). A WAF is an appliance that sits between the internet and a company’s servers and acts as a reverse proxy. As with all firewalls, an organization can create a set of rules that filter requests. They can start with one set of rules and then modify them based on what they observe as patterns of suspicious activity carried out by the DDoS.
DDoS Protection Solution
A fully robust DDoS protection solution includes elements that help an organization in both defense and monitoring. As the sophistication and complexity level of attacks continue to evolve, companies need a solution that can assist them with both known and zero-day attacks. A DDoS protection solution should employ a range of tools that can defend against every type of DDoS attack and monitor hundreds of thousands of parameters simultaneously.”
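Two of the points in the Fortinet excerpt above lend themselves to a worked example: telling a flash crowd apart from an application-layer flood (the symptom of both is a traffic spike), and per-source rate limiting, which helps against a few noisy sources but not against a distributed one. The script below is an added example written for this post, not code from Fortinet or any product. It parses web-server access-log lines in the common combined format, labels each one-second window by how concentrated the traffic is across source addresses, paths and client signatures, and then applies a sliding-window limit per source IP. The log lines are constructed inline (using documentation and benchmarking address ranges), and the baseline rate, spike factor and share thresholds are assumptions to tune against real traffic.

```python
"""Flash crowd or flood? Window classification plus a per-source rate limiter.

Added example for this post, not Fortinet code. Log lines are constructed,
address ranges are documentation/benchmark space, thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
BASELINE_RPS = 20   # normal request rate for this site (assumption)
SPIKE_FACTOR = 5    # a second with more than BASELINE_RPS * SPIKE_FACTOR requests is a spike

def parse(line):
    """Parse one log line into a dict with a numeric epoch 't', or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec

def classify(window):
    """Label one second of traffic: normal, flash-crowd, flood-concentrated or flood-distributed."""
    n = len(window)
    if n <= BASELINE_RPS * SPIKE_FACTOR:
        return "normal"
    ips = Counter(r["ip"] for r in window)
    paths = Counter(r["path"] for r in window)
    uas = Counter(r["ua"] for r in window)
    top_ip_share = ips.most_common(1)[0][1] / n
    top_path_share = paths.most_common(1)[0][1] / n
    if top_ip_share > 0.2:                        # a few sources carry the spike: per-IP limits bite
        return "flood-concentrated"
    if top_path_share > 0.9 and len(uas) <= 2:    # many sources, one endpoint, one client signature
        return "flood-distributed"
    return "flash-crowd"                          # many sources, mixed paths and clients: visitors

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds for each source IP."""
    def __init__(self, limit=30, window_s=1.0):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)            # ip -> timestamps of recently allowed requests

    def allow(self, ip, t):
        q = self.hits[ip]
        while q and t - q[0] >= self.window_s:    # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True

def enforce(records, limiter):
    """Apply the limiter in time order; return a Counter keyed by (ip, 'allow'|'429')."""
    out = Counter()
    for r in sorted(records, key=lambda r: r["t"]):
        out[(r["ip"], "allow" if limiter.allow(r["ip"], r["t"]) else "429")] += 1
    return out

def _line(ip, sec, path, ua):
    return f'{ip} - - [24/Apr/2022:10:00:0{sec} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

def build_sample_log():
    """Constructed log: four consecutive seconds, one scenario each."""
    uas = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)",
           "Mozilla/5.0 (iPhone)", "Mozilla/5.0 (X11; Linux)"]
    paths = ["/", "/pricing", "/blog", "/contact", "/launch"]
    lines = []
    for i in range(20):                           # second 0: normal traffic
        lines.append(_line(f"192.0.2.{i}", 0, paths[i % 5], uas[i % 4]))
    for i in range(200):                          # second 1: flash crowd, mostly on /launch
        lines.append(_line(f"198.51.100.{i}", 1, "/launch" if i % 5 else paths[i % 4], uas[i % 4]))
    for i in range(300):                          # second 2: three sources hammering /search
        lines.append(_line(f"203.0.113.{7 + i % 3}", 2, "/search?q=zzzz", "curl/7.68.0"))
    for i in range(300):                          # second 3: 300 bots, one request each
        lines.append(_line(f"198.18.{i // 256}.{i % 256}", 3, "/search?q=zzzz", "python-requests/2.25.1"))
    return lines

def analyse(lines):
    """Return ({epoch_second: label}, parsed records) for a list of log lines."""
    recs = [r for r in map(parse, lines) if r]
    buckets = defaultdict(list)
    for r in recs:
        buckets[int(r["t"])].append(r)
    return {t: classify(w) for t, w in sorted(buckets.items())}, recs

if __name__ == "__main__":
    verdicts, recs = analyse(build_sample_log())
    for t, label in verdicts.items():
        print(t, label)
    decisions = enforce(recs, SlidingWindowLimiter(limit=30, window_s=1.0))
    print("rejected:", sum(v for (ip, d), v in decisions.items() if d == "429"))
```

The limiter rejects seventy of the hundred requests each concentrated attacker sends in a second while letting every flash-crowd visitor through, but it also lets every request of the distributed flood through, because each bot only sends one. That is the limitation the text describes: per-IP limiting is one layer, to be combined with upstream scrubbing or Anycast absorption and a WAF rule keyed on the attack’s request signature (here, one path and one user agent across hundreds of sources).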
Cyber Espionage
What is Cyber Espionage?
According to excerpts from an article by VMWare, “Cyber espionage is a form of cyber attack that steals classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity.
Espionage, according to Merriam-Webster, is “the practice of spying or using spies to obtain information about the plans and activities especially of a foreign government or a competing company.”
Take this into the cyber world, and the spies are armies of nefarious hackers from around the globe who use cyber warfare for economic, political, or military gain. These deliberately recruited and highly valued cybercriminals have the technical know-how to shut down anything from government infrastructures to financial systems or utility resources. They have influenced the outcome of political elections, created havoc at international events, and helped companies succeed or fail.
Many of these attackers use advanced persistent threats (APTs) as their modus operandi to stealthily enter networks or systems and remain undetected for years and years.
Eric O’Neill, a former undercover F.B.I. agent who is a National Security Specialist at Carbon Black, is quite familiar with espionage. In an article called Hacking is the New Face of Espionage, he says “the contemporary battle is fought with keyboards and software rather than dead-drops and balaclavas.” He goes on to say, with the cyber war now being fought on a global scale, there is more onus on security than ever. “Too many organizations are not taking the threat as seriously as they should,” notes O’Neill.
Cyber Spy Hunting Advice from a Former Spy
In the article above, Eric O’Neill suggests that the best defense is a good offense. Here are some of the steps that Eric recommends for battling cyber espionage:
- Understand where the threats are coming from. When cybercrime first hit the scene, there initially were stand-alone criminals working toward their own, personal agendas. According to Eric, those days are over and nation-states have wised up to the potential benefits of digital warfare and cyber espionage.
- Discover the motive. Understanding the source can provide a much better chance of discovering the motive. The reason a state actor is attacking might be entirely different from someone operating on their own accord. These reasons can range from trying to gain a competitive advantage, to disrupting a system or location. The motive of an attack can often tell a lot about the method, and vice-versa. Hence, if the method is known, there can be a greater understanding of the target, which leads to a better grasp of the method most likely to be used to infiltrate it.
- Think like a hacker. When looking for the motive, thinking like a hacker could help a company catch a hacker faster. Catching criminals doesn’t happen by accident, and when thinking like a hacker, a clearer picture of what their movements may be can emerge more quickly. Putting this into practice is imperative, not only in the aftermath of a breach, but in protecting a company from one in the first place. If a security team can get into the mindset of a hacker, it can actively seek out its own vulnerabilities, understand what tactics might be used to gain entry, and what data can be accessed using those methods.
- Identify the hacker’s techniques. Having knowledge of the potential techniques that a hacker might use can provide an invaluable weapon when fighting back against cybercriminals. A near-constant gathering of information is the key to success here. Eric recommends having as many external sensors as possible, as well as participation in a vocal community that is sharing information.
- Take a proactive approach. Developing a proactive approach to security is often the most effective way of protection. The sentiment “the best defense is having a good offense” really does ring true here, according to Eric. By taking the fight to attackers, they can be stopped in their tracks and companies can prevent breaches at the source. With more sophisticated methods being used, and a greater volume of attacks, having a strong force is mission-critical. As Eric notes, “Now is the time to start thinking like a bad guy and fight back.””
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca